what www perl script is running?

Bill Moran wmoran at potentialtech.com
Tue Aug 25 15:13:15 UTC 2009


In response to Paul Schmehl <pschmehl_lists at tx.rr.com>:

> --On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran 
> <wmoran at potentialtech.com> wrote:
> >>
> >> I am currently killing the process with the following bash command while I
> >> decide what to do next:
> >>
> >> $ while x=1 ; do sudo killall -9 perl5.8.9  && echo "killed..." ; sleep 15;
> >> done
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good security practice says that you should have IPFW (or some
> > other firewall) running and only allowing known good traffic right from
> > the start, which might have protected you from this in the first place.
> >
> 
> I disagree.  I used to believe this, but experience has taught me otherwise. 
> When you run a firewall on a host, you open the ports for the services you want 
> to offer.  The firewall provides you no protection at all against hackers 
> attacking the services that are listening on ports opened through the firewall. 
> All a host firewall does is consume CPU and memory and give you a warm fuzzy 
> that doesn't really add to security at all and may well make you less vigilant. 
> (And yes, I know I'm a security heretic in some quarters.)

Well, you're entitled to your opinion, but I think it's misguided.

Security isn't always about preventing a compromise.  Sometimes it's about
reducing the damage.

If he had a packet filter installed that allowed only known-good traffic,
he still might have gotten compromised through a web server, you got that
part right.

The part you missed is that the installed script needs to connect out to
talk to its bot master.  The packet filter would have prevented this
communication, thus the rogue script would have been useless.  While the
compromise of the machine would succeed, control of the machine would not
fall into other hands, and the script would be incapable of compromising
_information_ on the machine (as it stands, you have no idea what files
that script has been sending up to the bot master ... password files, for
example?)

A side note to that.  Make sure to change each and every password, key file,
etc on that system, as they're all suspect at this point.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
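The ruleset below is an added example of the default-deny packet filter argued for above (both the quoted suggestion of an ipfw rule to stop the script calling home and the point that only known-good traffic should pass); it is not code from the original thread or from any FreeBSD rc file. It assumes a single FreeBSD web server with ipfw loaded, the stock "www" user running the web server, an external interface named em0, and made-up admin, resolver and NTP addresses; all of these are placeholders to be replaced. The ruleset is emitted in the line format that `ipfw /path/to/file` reads, and a small lint step refuses to load it if the last rule is not a logged default deny or if any allow rule covers outbound traffic to any host and port.

```shell
#!/bin/sh
# egress.sh: default-deny ipfw ruleset for a single FreeBSD web server.
# Added example, not from the original mailing-list thread.  Interface name,
# admin network, resolver and NTP addresses are assumptions; the web server
# is assumed to run as the stock "www" user.
ext_if="${EXT_IF:-em0}"                       # assumed external interface
admin_net="${ADMIN_NET:-192.0.2.0/24}"        # assumed: where ssh logins come from
resolvers="${RESOLVERS:-198.51.100.53}"       # assumed: the only DNS server we talk to
ntp_server="${NTP_SERVER:-198.51.100.123}"    # assumed: the only NTP server we talk to

# egress_rules prints the ruleset in the "ipfw /path/to/file" line format.
egress_rules() {
    echo "flush"
    # Loopback is trusted; anything else claiming 127/8 is forged.
    echo "add 100 allow ip from any to any via lo0"
    echo "add 110 deny ip from any to 127.0.0.0/8"
    echo "add 120 deny ip from 127.0.0.0/8 to any"
    # Packets belonging to a flow we already allowed, in either direction.
    echo "add 200 check-state"
    # Inbound: only the services this host actually offers.
    echo "add 1000 allow tcp from any to me 80,443 in via $ext_if setup keep-state"
    echo "add 1010 allow tcp from $admin_net to me 22 in via $ext_if setup keep-state"
    # Outbound: nothing at all from the web server's uid, logged so that a
    # planted script's call-home attempts show up in /var/log/security.
    echo "add 2000 deny log ip from me to any out via $ext_if uid www"
    # Outbound: the few things the host itself needs, to fixed peers only.
    echo "add 2010 allow udp from me to $resolvers 53 out via $ext_if keep-state"
    echo "add 2020 allow udp from me to $ntp_server 123 out via $ext_if keep-state"
    echo "add 2030 allow tcp from me to any 80,443 out via $ext_if setup keep-state uid root"
    # Enough ICMP for path MTU discovery and ping to keep working.
    echo "add 3000 allow icmp from any to any icmptypes 0,3,8,11"
    # Everything else is dropped and logged.
    echo "add 65000 deny log ip from any to any"
}

# lint_rules reads a ruleset on stdin and fails unless the last rule is a
# logged default deny and no allow rule matches outbound traffic to any host
# on any port.  Run it before loading a ruleset on a remote box.
lint_rules() {
    awk '
        /^[ \t]*$/ { next }
        { last = $0 }
        /^add [0-9]+ allow .* to any out/ { broad++ }
        END {
            if (last !~ /^add [0-9]+ deny log ip from any to any$/) {
                print "lint: last rule is not a logged default deny" > "/dev/stderr"; exit 1
            }
            if (broad) {
                print "lint: " broad " catch-all outbound allow rule(s)" > "/dev/stderr"; exit 1
            }
        }'
}

# apply_rules loads the ruleset in one ipfw invocation from a temp file and
# turns on net.inet.ip.fw.verbose so that the "log" rules actually log.
apply_rules() {
    tmp=$(mktemp) || return 1
    egress_rules >"$tmp"
    if ! lint_rules <"$tmp"; then rm -f "$tmp"; return 1; fi
    sysctl net.inet.ip.fw.verbose=1 >/dev/null
    ipfw -q -f "$tmp"
    rm -f "$tmp"
}

case "${1:-show}" in
    show)  egress_rules ;;
    lint)  egress_rules | lint_rules && echo "ruleset ok" ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|lint|apply]" >&2; exit 2 ;;
esac
```

Two caveats a practitioner would want. First, `uid www` only matches traffic generated by a local socket owned by that user; a script that has already escalated to another uid is not caught by rule 2000, which is why the final `deny log` rule, not the uid rule, is what actually enforces the policy. Second, apply this from the console the first time: the `flush` drops the dynamic state that keeps an existing ssh session alive, and rule 1010 only admits new connections that start with a SYN. To make it persistent, write the output of `egress.sh show` to a file and point `firewall_type` at it in rc.conf alongside `firewall_enable="YES"` (the file path is the operator's choice).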

